Stowage/pycryptodome
2
0
Fork 0
mirror of https://github.com/Legrandin/pycryptodome.git synced 2025-11-03 07:01:24 +00:00
Code Issues Projects Releases Packages Wiki Activity
pycryptodome/lib/Crypto/Signature/DSS.py

403 lines
14 KiB
Python
Raw Permalink Normal View History

Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
#
# Signature/DSS.py : DSS.py
#
# ===================================================================
#
Start licensing under BSD 2-Clause
2014-06-23 22:20:10 +02:00
# Copyright (c) 2014, Legrandin <helderijs@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
# ===================================================================
"""
Digital Signature Standard (DSS), as specified in `FIPS PUB 186`__.
A sender signs a message in the following way:
>>> from Crypto.Hash import SHA256
>>> from Crypto.PublicKey import DSA
>>> from Crypto.Signature import DSS
>>>
>>> message = b'I give my permission to order #4355'
>>> key = DSA.importKey(open('privkey.der').read())
>>> h = SHA256.new(message)
>>> signer = DSS.new(key, 'fips-186-3')
>>> signature = signer.sign(h)
The receiver can verify authenticity of the message:
>>> key = DSA.importKey(open('pubkey.der').read())
>>> h = SHA256.new(received_message)
>>> verifier = DSS.new(key, 'fips-186-3')
Adjust DSS example
2015-03-13 20:40:29 +01:00
>>> try:
>>> verifier.verify(h, signature):
>>> print "The signature is authentic."
>>> except ValueError:
>>> print "The signature is not authentic."
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
.. __: http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
"""
__all__ = ['new', 'DSS_SigScheme']
from Crypto.Util.py3compat import *
from Crypto import Random
from Crypto.Random.random import StrongRandom
from Crypto.Util.asn1 import DerSequence
from Crypto.Util.number import size as bit_size, long_to_bytes, bytes_to_long
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
from Crypto.Hash import HMAC
Add Crypto.Signature.pkcs1_v1_5 module with NIST test vectors Crypto.Signature.PKCS1_v1_5 is reverted to old behavior it had in PyCrypto (verify raises no exception; it only returns True or False).
2015-07-01 21:04:12 +00:00
def hash_is_shs(msg_hash):
"""Return True if hash is SHA-1, SHA-2 or SHA-3"""
return msg_hash.oid == "1.3.14.3.2.26" or \
msg_hash.oid.startswith("2.16.840.1.101.3.4.2.")
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
class DSS_SigScheme(object):
"""This signature scheme can perform DSS signature or verification."""
#: List of L (bit length of p) and N (bit length of q) combinations
#: that are allowed by FIPS 186-3.
fips_186_3_ln = ((1024, 160), (2048, 224), (2048, 256), (3072, 256))
def __init__(self, key, mode, encoding='binary', randfunc=None):
"""Initialize this Digital Signature Standard object.
:Parameters:
key : a DSA key object
If the key has the private half, both signature and
verification are possible.
If it only has the public half, verification is possible
but not signature generation.
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
Let *L* and *N* be the bit lengths of the modules *p* and *q*.
If mode is *'fips-186-3'*,
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
the combination *(L,N)* must apper in the following list,
in compliance to section 4.2 of `FIPS-186`__:
- (1024, 160)
- (2048, 224)
- (2048, 256)
- (3072, 256)
Note that the FIPS specification also defines how the key
must be generated. PyCrypto does not generate DSA keys
in a FIPS compliant way.
mode : string
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
The parameter can take these values:
- *'fips-186-3'*. The signature generation is carried out
according to `FIPS-186`__: the nonce *k* is taken from the RNG.
IETF draft has become RFC6979
2013-08-09 21:58:51 +02:00
- *'deterministic-rfc6979'*. The signature generation
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
process does not rely on a random generator.
IETF draft has become RFC6979
2013-08-09 21:58:51 +02:00
See RFC6979_.
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
encoding : string
How the signature is encoded. This value determines the output of
``sign`` and the input of ``verify``.
The following values are accepted:
- *'binary'*, the signature is the raw concatenation
of *r* and *s*. The size in bytes of the signature is always
two times the size of *q*.
- *'der'*, the signature is a DER encoded SEQUENCE with two
INTEGERs, *r* and *s*. The size of the signature is variable.
randfunc : callable
The source of randomness. If `None`, the internal RNG is used.
IETF draft has become RFC6979
2013-08-09 21:58:51 +02:00
It is not used under mode *'deterministic-rfc6979'*.
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
.. __: http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
.. __: http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
IETF draft has become RFC6979
2013-08-09 21:58:51 +02:00
.. _RFC6979: http://tools.ietf.org/html/rfc6979
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
"""
# The goal of the 'mode' parameter is to avoid to
# have the current version of the standard as default.
#
# Over time, such version will be superseded by (for instance)
# FIPS 186-4 and it will be odd to have -3 as default.
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
self._deterministic = False
IETF draft has become RFC6979
2013-08-09 21:58:51 +02:00
if mode == 'deterministic-rfc6979':
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
self._deterministic = True
elif mode not in ('fips-186-3', ):
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
raise ValueError("Unknown DSS mode '%s'" % mode)
if encoding not in ('binary', 'der'):
raise ValueError("Unknown encoding '%s'" % encoding)
if randfunc is None:
randfunc = Random.get_random_bytes
self._encoding = encoding
self._randfunc = randfunc
# Verify that lengths of p and q are standard compliant
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
self._l, self._n = [(bit_size(x) + 7) >> 3 for x in (key.p, key.q)]
if not self._deterministic:
if (self._l * 8, self._n * 8) not in self.fips_186_3_ln:
raise ValueError("L/N (%d, %d) is not compliant"
" to FIPS 186-3" %
(self._l, self._n))
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
self._key = key
def can_sign(self):
"""Return True if this signature object can be used
for signing messages."""
return self._key.has_private()
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
def _bits2int(self, bstr):
IETF draft has become RFC6979
2013-08-09 21:58:51 +02:00
"""See 2.3.2 in RFC6979"""
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
result = bytes_to_long(bstr)
q_len = bit_size(self._key.q)
b_len = len(bstr) * 8
if b_len > q_len:
result >>= (b_len - q_len)
return result
def _int2octets(self, int_mod_q):
IETF draft has become RFC6979
2013-08-09 21:58:51 +02:00
"""See 2.3.3 in RFC6979"""
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
if not (0 < int_mod_q < self._key.q):
raise ValueError("Wrong input to int2octets()")
return long_to_bytes(int_mod_q, self._n)
def _bits2octets(self, bstr):
IETF draft has become RFC6979
2013-08-09 21:58:51 +02:00
"""See 2.3.4 in RFC6979"""
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
z1 = self._bits2int(bstr)
if z1 < self._key.q:
z2 = z1
else:
z2 = z1 - self._key.q
return self._int2octets(z2)
def _compute_nonce(self, mhash):
"""Generate k in a deterministic way"""
IETF draft has become RFC6979
2013-08-09 21:58:51 +02:00
# See section 3.2 in RFC6979.txt
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
# Step a
h1 = mhash.digest()
# Step b
mask_v = bchr(1) * mhash.digest_size
# Step c
nonce_k = bchr(0) * mhash.digest_size
for int_oct in 0, 1:
# Step d/f
nonce_k = HMAC.new(nonce_k,
mask_v + bchr(int_oct) +
self._int2octets(self._key.x) +
self._bits2octets(h1), mhash).digest()
# Step e/g
mask_v = HMAC.new(nonce_k, mask_v, mhash).digest()
nonce = -1
while not (0 < nonce < self._key.q):
# Step h.C (second part)
if nonce != -1:
nonce_k = HMAC.new(nonce_k, mask_v + bchr(0),
mhash).digest()
mask_v = HMAC.new(nonce_k, mask_v, mhash).digest()
# Step h.A
mask_t = b("")
# Step h.B
while len(mask_t) < self._n:
mask_v = HMAC.new(nonce_k, mask_v, mhash).digest()
mask_t += mask_v
# Step h.C (first part)
nonce = self._bits2int(mask_t)
return nonce
Failed signature verifications raise an exception. Until now, the verify() method of a Crypto.Signature object returns False if a signature is not authentic. With this change set, verify() now raises a ValueError exception. The return value of verify() must not be checked anymore. NOTE: this change sets breaks compatibility with PyCrypto
2014-06-07 21:00:50 +02:00
def sign(self, msg_hash):
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
"""Produce the DSS signature of a message.
:Parameters:
Failed signature verifications raise an exception. Until now, the verify() method of a Crypto.Signature object returns False if a signature is not authentic. With this change set, verify() now raises a ValueError exception. The return value of verify() must not be checked anymore. NOTE: this change sets breaks compatibility with PyCrypto
2014-06-07 21:00:50 +02:00
msg_hash : hash object
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
The hash that was carried out over the message.
The object belongs to the `Crypto.Hash` package.
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
Under mode *'fips-186-3'*, the hash must be a FIPS
approved secure hash (SHA-1 or a member of the SHA-2 family).
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
:Return: The signature encoded as a byte string.
:Raise ValueError:
If the hash algorithm is incompatible to the DSA key.
:Raise TypeError:
If the DSA key has no private half.
"""
# Generate the nonce k (critical!)
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
if self._deterministic:
Failed signature verifications raise an exception. Until now, the verify() method of a Crypto.Signature object returns False if a signature is not authentic. With this change set, verify() now raises a ValueError exception. The return value of verify() must not be checked anymore. NOTE: this change sets breaks compatibility with PyCrypto
2014-06-07 21:00:50 +02:00
nonce = self._compute_nonce(msg_hash)
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
else:
Failed signature verifications raise an exception. Until now, the verify() method of a Crypto.Signature object returns False if a signature is not authentic. With this change set, verify() now raises a ValueError exception. The return value of verify() must not be checked anymore. NOTE: this change sets breaks compatibility with PyCrypto
2014-06-07 21:00:50 +02:00
if self._n > msg_hash.digest_size * 8:
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
raise ValueError("Hash is not long enough")
Add Crypto.Signature.pkcs1_v1_5 module with NIST test vectors Crypto.Signature.PKCS1_v1_5 is reverted to old behavior it had in PyCrypto (verify raises no exception; it only returns True or False).
2015-07-01 21:04:12 +00:00
if not hash_is_shs(msg_hash):
raise ValueError("Hash does not belong to SHS")
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
rng = StrongRandom(randfunc=self._randfunc)
nonce = rng.randint(1, self._key.q - 1)
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
Clean up Crypto.PublicKey module This patch does a few things to simplify the public key classes (RSA, DSA and ElGamal): * It removes the Crypto.PublicKey.pubkey module. The 3 classes do not have an ancestor anymore. * Methods sign(), verify(), encrypt(), and decrypt() are removed. * Methods blind() and unblind() are removed. * Methods can_sign() and can_encrypt() are removed. * The 3 classes cannot be pickled anymore.
2014-06-16 21:42:39 +02:00
# Perform signature using the raw API
z = bytes_to_long(msg_hash.digest()[:self._n])
sig_pair = self._key._sign(z, nonce)
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
# Encode the signature into a single byte string
if self._encoding == 'binary':
output = b("").join([long_to_bytes(x, self._n)
for x in sig_pair])
else:
# Dss-sig ::= SEQUENCE {
# r OCTET STRING,
# s OCTET STRING
# }
der_seq = DerSequence(sig_pair)
output = der_seq.encode()
return output
Failed signature verifications raise an exception. Until now, the verify() method of a Crypto.Signature object returns False if a signature is not authentic. With this change set, verify() now raises a ValueError exception. The return value of verify() must not be checked anymore. NOTE: this change sets breaks compatibility with PyCrypto
2014-06-07 21:00:50 +02:00
def verify(self, msg_hash, signature):
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
"""Verify that a certain DSS signature is authentic.
This function checks if the party holding the private half of the key
really signed the message.
:Parameters:
Failed signature verifications raise an exception. Until now, the verify() method of a Crypto.Signature object returns False if a signature is not authentic. With this change set, verify() now raises a ValueError exception. The return value of verify() must not be checked anymore. NOTE: this change sets breaks compatibility with PyCrypto
2014-06-07 21:00:50 +02:00
msg_hash : hash object
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
The hash that was carried out over the message.
This is an object belonging to the `Crypto.Hash` module.
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
Under mode *'fips-186-3'*, the hash must be a FIPS
approved secure hash (SHA-1 or a member of the SHA-2 family).
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
signature : byte string
The signature that needs to be validated.
Failed signature verifications raise an exception. Until now, the verify() method of a Crypto.Signature object returns False if a signature is not authentic. With this change set, verify() now raises a ValueError exception. The return value of verify() must not be checked anymore. NOTE: this change sets breaks compatibility with PyCrypto
2014-06-07 21:00:50 +02:00
:Raise ValueError:
If the signature is not authentic.
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
"""
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
if not self._deterministic:
Failed signature verifications raise an exception. Until now, the verify() method of a Crypto.Signature object returns False if a signature is not authentic. With this change set, verify() now raises a ValueError exception. The return value of verify() must not be checked anymore. NOTE: this change sets breaks compatibility with PyCrypto
2014-06-07 21:00:50 +02:00
if self._n > msg_hash.digest_size * 8:
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
raise ValueError("Hash is not long enough")
Add Crypto.Signature.pkcs1_v1_5 module with NIST test vectors Crypto.Signature.PKCS1_v1_5 is reverted to old behavior it had in PyCrypto (verify raises no exception; it only returns True or False).
2015-07-01 21:04:12 +00:00
if not hash_is_shs(msg_hash):
raise ValueError("Hash does not belong to SHS")
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
if self._encoding == 'binary':
if len(signature) != (2 * self._n):
Failed signature verifications raise an exception. Until now, the verify() method of a Crypto.Signature object returns False if a signature is not authentic. With this change set, verify() now raises a ValueError exception. The return value of verify() must not be checked anymore. NOTE: this change sets breaks compatibility with PyCrypto
2014-06-07 21:00:50 +02:00
raise ValueError("The signature is not authentic")
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
r_prime, s_prime = [bytes_to_long(x)
for x in (signature[:self._n],
signature[self._n:])]
else:
try:
der_seq = DerSequence()
der_seq.decode(signature)
except (ValueError, IndexError):
Failed signature verifications raise an exception. Until now, the verify() method of a Crypto.Signature object returns False if a signature is not authentic. With this change set, verify() now raises a ValueError exception. The return value of verify() must not be checked anymore. NOTE: this change sets breaks compatibility with PyCrypto
2014-06-07 21:00:50 +02:00
raise ValueError("The signature is not authentic")
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
if len(der_seq) != 2 or not der_seq.hasOnlyInts():
Failed signature verifications raise an exception. Until now, the verify() method of a Crypto.Signature object returns False if a signature is not authentic. With this change set, verify() now raises a ValueError exception. The return value of verify() must not be checked anymore. NOTE: this change sets breaks compatibility with PyCrypto
2014-06-07 21:00:50 +02:00
raise ValueError("The signature is not authentic")
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
r_prime, s_prime = der_seq[0], der_seq[1]
if not (0 < r_prime < self._key.q) or not (0 < s_prime < self._key.q):
Failed signature verifications raise an exception. Until now, the verify() method of a Crypto.Signature object returns False if a signature is not authentic. With this change set, verify() now raises a ValueError exception. The return value of verify() must not be checked anymore. NOTE: this change sets breaks compatibility with PyCrypto
2014-06-07 21:00:50 +02:00
raise ValueError("The signature is not authentic")
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
Clean up Crypto.PublicKey module This patch does a few things to simplify the public key classes (RSA, DSA and ElGamal): * It removes the Crypto.PublicKey.pubkey module. The 3 classes do not have an ancestor anymore. * Methods sign(), verify(), encrypt(), and decrypt() are removed. * Methods blind() and unblind() are removed. * Methods can_sign() and can_encrypt() are removed. * The 3 classes cannot be pickled anymore.
2014-06-16 21:42:39 +02:00
z = bytes_to_long(msg_hash.digest()[:self._n])
result = self._key._verify(z, (r_prime, s_prime))
Failed signature verifications raise an exception. Until now, the verify() method of a Crypto.Signature object returns False if a signature is not authentic. With this change set, verify() now raises a ValueError exception. The return value of verify() must not be checked anymore. NOTE: this change sets breaks compatibility with PyCrypto
2014-06-07 21:00:50 +02:00
if not result:
raise ValueError("The signature is not authentic")
# Make PyCrypto code to fail
return False
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
def new(key, mode, encoding='binary', randfunc=None):
"""Return a signature scheme object `DSS_SigScheme` that
can be used to perform DSS signature or verification.
:Parameters:
key : a DSA key object
If the key has got its private half, both signature and
verification are possible.
If it only has the public half, verification is possible
but not signature generation.
If *L* and *N* are the bit lengths of the modules *p* and *q*,
the combination *(L,N)* must appear in the following list,
in compliance to section 4.2 of `FIPS-186`__:
- (1024, 160)
- (2048, 224)
- (2048, 256)
- (3072, 256)
mode : string
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
The parameter can take these values:
- *'fips-186-3'*. The signature generation is carried out
according to `FIPS-186`__: the nonce *k* is taken from the RNG.
IETF draft has become RFC6979
2013-08-09 21:58:51 +02:00
- *'deterministic-rfc6979'*. The signature generation
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
process does not rely on a random generator.
IETF draft has become RFC6979
2013-08-09 21:58:51 +02:00
See RFC6979_.
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
encoding : string
How the signature is encoded. This value determines the output of
``sign`` and the input of ``verify``.
The following values are accepted:
- *'binary'*, the signature is the raw concatenation
of *r* and *s*. The size in bytes of the signature is always
two times the size of *q*.
- *'der'*, the signature is a DER encoded SEQUENCE with two
INTEGERs, *r* and *s*. The size of the signature is variable.
randfunc : callable
The source of randomness. If ``None``, the internal RNG is used.
IETF draft has become RFC6979
2013-08-09 21:58:51 +02:00
It is not used under mode *'deterministic-rfc6979'*.
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
.. __: http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
Add support for deterministic DSA. This patch implements the variant of DSA described in http://tools.ietf.org/html/draft-pornin-deterministic-dsa-02. The nonce k is not taken from the RNG: instead, it is derived from the message and the key. DSA is still secure even on platforms where the RNG is not reliable (e.g. in VMs).
2013-07-17 08:21:04 +02:00
.. __: http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
IETF draft has become RFC6979
2013-08-09 21:58:51 +02:00
.. _RFC6979: http://tools.ietf.org/html/rfc6979
Implement a robust DSA API. This patch introduces a new module (Crypto.Signature.DSS) with a less error prone API for performing DSA signatures. Similarly to Crypto.Signature.PKCS1_PSS, the module creates a signer object that only works with hash objects, not directly with messages. Additionally, the caller does not need to provide any RNG. The module will use the default one and will correctly pick the critical nonce K. Example of API usage: >>> from Crypto.Signature.DSS >>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import DSA >>> >>> message = b'I give my permission to order #4355' >>> key = DSA.importKey(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key) >>> signature = signer.sign(h)
2013-07-08 22:40:07 +02:00
"""
return DSS_SigScheme(key, mode, encoding, randfunc)
Reference in a new issue Copy permalink